DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) applies where and to the extent Privacy Laws apply to Processing of Personal Data in connection with the Agreement between Customer and Powerfleet, Inc. or its subsidiaries and affiliates (“PWFL”).
All capitalized terms used but not defined in this DPA shall have the meaning given in the remainder of the Master Terms and Conditions for the Supply of Services and Equipment, which incorporates this DPA by reference.
In providing the Services under the Agreement, PWFL may Process certain Personal Information on behalf of Customer (“Customer Personal Data”). The Parties acknowledge that this DPA reflects the Parties’ agreement with regards to the Processing of Customer Personal Data, and the Parties shall comply with this DPA concerning all Customer Personal Data.
In consideration of the mutual obligations contained in this DPA, and for valuable consideration, the sufficiency of which is acknowledged, PWFL and Customer hereby enter into this Data Processing Addendum as follows:
-
Definitions
-
“Business”, “Business Purpose”, “Sell”,
“Service Provider” and “Share” have the meaning ascribed to
them in the CCPA.
-
“Data Subject” means an identified, or identifiable, natural
person to whom Personal Information relates.
-
“EU/EEA Restricted Transfer” means a transfer of Personal Data by Customer to PWFL (or any onward transfer), in
each case, where such transfer would be prohibited by EU GDPR in the absence of the protection for the transferred
Personal Data provided by the EU Standard Contractual Clauses.
-
“EU SCCs” refers to module 2 of the standard contractual clauses set out in the Commission Implementing
Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to
third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended
or replaced from time to time by a competent authority under the relevant Data Protection Laws.
-
“Personal Information” means any information that identifies, relates to, describes, or is reasonably capable
of being associated with, or could reasonably be linked, directly or indirectly, with a particular person or
household, or is otherwise “personal data,” “personal information,” “personally identifiable information,” or
similar designation under and regulated by Privacy Law.
-
“Privacy Law” means (as applicable) (i) all applicable federal, state, territorial, and local laws, rules,
directives, regulations, and governmental requirements currently in effect, or as they become effective, relating
in any way to the privacy, confidentiality, or security of Personal Information, including, to the extent
relevant, the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act (“CCPA”), the
Virginia Consumer Data Privacy Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer
Privacy Act, the Children’s Online Privacy Protection Act, and any laws implementing, replacing or supplementing
any of them, as amended, consolidated, re-enacted, or replaced from time to time; (ii) the EU General Data Protection
Regulation (EU 2016/679) (“EU GDPR”) and its incorporation into the laws of England and Wales, Scotland, and Northern
Ireland by virtue of the UK European Union (Withdrawal) Act 2018 (the “UK GDPR”); (iii) the Australian Privacy Act
1988 and its Privacy Principles; (iv) the South African Protection of Personal Information Act 2013 (“POPIA”); or
(v) any other applicable laws, rules, or regulations governing the collection, use, disclosure, or processing of
Personal Data in any jurisdiction relevant to the Parties’ obligations under this DPA.
-
“Process(ing)” means the collection, use, modification, storage, disclosure and any other activity with respect to
Personal Information that is governed by Privacy Law.
-
“Restricted Transfer(s)” means either an EU/EEA Restricted Transfer and/or a UK Restricted Transfer.
-
“Services” for the purposes of interpreting this DPA only, means Services (as defined in the Master Terms) and
also includes Purchased Equipment for the purposes of interpreting this DPA only.
-
“Specified Business Purpose” means the Business Purpose(s) for Processing Personal Information, which
are the Services described in the Agreement.
-
“UK IDTA” means the International Data Transfer UK Addendum to the EU Standard Contractual Clauses issued
by the UK Information Commissioner under section 119A(1) Data Protection Act 2018.
-
“UK Restricted Transfer” means a transfer of Personal Data by Customer to the Supplier (or any onward transfer), in
each case, where such transfer would be prohibited by UK Data Protection Laws in the absence of the protection
for the transferred Personal Data provided by the UK IDTA.
-
Processing of Personal Information.
-
Relationship of the Parties. PWFL is the data processor and Service Provider Processing Customer
Personal Data on behalf of the Customer, which is the Business and data controller for Customer
Personal Data.
-
Processing Instructions. Customer has the sole right to give PWFL instructions regarding the Processing of Customer Personal Data. Customer hereby instructs PWFL to Process Customer Personal Data to the extent required to provide the Services. If complying with an instruction by Customer could, in PWFL’s reasonable opinion, potentially cause a breach by PWFL or Customer of this DPA or Privacy Law, PWFL may notify Customer in writing and suspend execution of the instruction until PWFL receives written confirmation from Customer that compliance by PWFL with the instruction would not breach this DPA or Privacy Law.
-
Customer Obligations. Customer covenants, represents, and warrants that: (i) Customer is solely responsible for complying with Privacy Law in regards to its role as a Business and data controller for Customer Personal Data; (ii) Customer has collected and obtained, and shall Process, Customer Personal Data in compliance with Privacy Law; and (iii) Customer providing Customer Personal Data to PWFL pursuant to the Agreement will not cause PWFL to be in violation of applicable law, including Privacy Law. For the avoidance of doubt, Customer’s instructions for the Processing of Customer Personal Data comply, and shall comply, with Privacy Law. In addition, Customer is solely responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data.
-
PWFL Obligations. PWFL will comply with all applicable Privacy Laws and only Process Customer Personal Data in accordance with the instructions provided by Customer, including the instructions set out in this DPA, and as otherwise required by applicable law.
-
California Specific Obligations. To the extent Customer Personal Data contains any data regulated by the CCPA, PWFL certifies, as a Service Provider to Customer, that it understands, and will comply with, the applicable restrictions outlined in the CCPA and agrees that:
-
PWFL will Process all Customer Personal Data on behalf of the Customer only and that Customer is disclosing Customer Personal Data to PWFL only for the Specified Business Purpose;
-
PWFL is prohibited from retaining, using, or disclosing Customer Personal Data for any purpose other than for the Specified Business Purpose, including, without limitation, from retaining, using, or disclosing such Customer Personal Data (A) for a purpose other than the Specified Business Purpose or (B) outside of the direct business relationship between the relevant Data Subject and the Customer (and PWFL on behalf of Customer);
-
PWFL will not further collect, use, or disclose Customer Personal Data except as necessary to provide and maintain the Services;
-
PWFL will not Sell or Share Customer Personal Data for any reason;
-
PWFL will not, unless otherwise necessary due to the Specified Business Purpose or applicable law, combine Customer Personal Data with Personal Information it (A) receives from or on behalf of another person or third party or (B) collects from its own interactions with the applicable Data Subject;
-
PWFL will promptly notify Customer if PWFL determines it can no longer meet any of its obligations under this DPA;
-
If Customer believes PWFL is collecting, using, Processing, or sharing Customer Personal Data in a manner inconsistent with the Agreement (an “Unauthorized Use”), then PWFL will, upon receiving written or oral notice from Customer, cease all Processing of Customer Personal Data; and
-
PWFL will provide the Customer with reasonable assistance and work in good faith with the Customer in order to fully resolve and remediate the Unauthorized Use.
Notwithstanding the foregoing, PWFL is permitted to use Customer Personal Data as expressly permitted under the exceptions to Service Provider use restrictions under the CCPA.
-
Data Protection and Security
-
Reliability and Confidentiality. PWFL will take commercially reasonable steps to ensure the reliability of any person authorized to Process Customer Personal Data and ensure that such persons have committed themselves in writing to confidentiality or are under an appropriate obligation to ensure confidentiality and comply with applicable Privacy Laws.
-
Security Measures. PWFL will keep Customer Personal Data confidential, and implement and
maintain (and require any Subprocessors that have access to Customer Personal Data to maintain) a
comprehensive, effective, and documented information security program appropriate to the nature of Customer
Personal Data that: (i) contains administrative, technical, and physical safeguards to identify, assess
and protect against any reasonably foreseeable, anticipated, or actual threats or hazards to the security or
integrity of Customer Personal Data (“Information Security Measures”), and (ii) is compliant with Privacy Law.
PWFL will (i) proactively monitor and review the scope of the Information Security Measures regularly, and (ii)
implement additional Information Security Measures to control the risks PWFL identifies through the monitoring
and reviews described in (i).
-
Incident Notification and Management
-
Breach Notification. PWFL will notify the Customer without undue delay after the
confirmation of any breach of security that resulted in the accidental or unlawful destruction, loss,
alteration, unauthorized disclosure of, or unauthorized access to Customer Personal Data transmitted,
stored, or otherwise Processed by PWFL or any of its Subprocessors (“Security Breach”).
-
Breach Assistance. PWFL will assist the Customer with any obligation under Privacy
Law, as reasonably requested, including making notifications, regarding the Security Breach. PWFL
will not make any statement or notification to any Data Subject, regulatory authority, or otherwise, regarding
the Security Breach without the prior written approval of Customer unless otherwise required by applicable law.
-
Rights of the Data Subjects. The Customer has the sole discretion in responding to rights asserted by the Data Subjects. PWFL will forward to the Customer any requests by Data Subjects relating to the Processing of Customer Personal Data by PWFL. PWFL will assist the Customer, at Customer’s cost, in fulfilling any rights of the Data Subjects to the extent that these rights relate to the Processing of Customer Personal Data by PWFL.
-
Data Protection Assessments. PWFL shall assist the Customer, upon Customer’s request, with any obligation of Customer under Privacy Law to conduct or document data protection assessments relating to the Processing of Customer Personal Data, and where necessary, consultations with regulatory authorities in connection with the Processing of Customer Personal Data.
-
Data Return or Deletion. Upon termination or expiration of the Agreement, PWFL will securely return or delete, at the Customer’s discretion, all Customer Personal Data, including all existing copies, unless the laws of a country to which PWFL is subject require a more extended retention period.
-
Subprocessors
-
Appointment of Subprocessors.
Where PWFL engages another party to Process Customer Personal Data (a “Subprocessor”):
-
Obligations providing for at least an equal level of data protection, as established by this DPA, will be imposed on that Subprocessor by way of a written contract, such as a data processing agreement; and
-
PWFL will remain responsible to the Customer for the performance of that Subprocessor’s obligations to the same extent as PWFL would be responsible if performing the services of the Subprocessor under the terms of this DPA.
-
List of Current Subprocessors. PWFL may continue to use the Subprocessors already engaged by PWFL. Upon reasonable request, PWFL shall make available to Customer a list of current Subprocessors being utilized.
-
Notification of New Subprocessors and Objection Right. PWFL will notify the Customer of any material proposed changes to its Subprocessors. PWFL will provide such notification at least twenty (20) days before engaging any new Subprocessor to Process the Customer Personal Data. The Customer may reasonably object in good faith to PWFL’s use of a new Subprocessor by notifying PWFL promptly in writing within three (3) days of receipt of PWFL’s notice. If Customer objects to a new Subprocessor as permitted, PWFL will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Customer Personal Data by the objected-to new Subprocessor. If PWFL is unable to make available such change within a reasonable period of time, not to exceed sixty (60) days, Customer will be entitled to terminate the affected Services, but only as to those Services which cannot be provided by PWFL without the use of the objected-to new Subprocessor, by providing written notice to PWFL.
-
Audits, Inspections, and Cooperation.
PWFL will make available to the Customer, upon request, the information reasonably necessary to
demonstrate its compliance with this DPA. PWFL will provide assistance, as reasonably requested
by Customer, in connection with any audits or inspections by competent regulatory authorities or
government bodies to the extent such audit relates to the Processing of Customer Personal Data
under this DPA (each an “Audit”). In connection with Audits, PWFL will grant the Customer reasonable
access to its business premises during PWFL’s regular business hours and make available all information
reasonably necessary to demonstrate compliance with this DPA; provided, however, that such access shall
be undertaken in a manner designed to cause minimal interruption to PWFL’s business operations. Customer
will notify PWFL, in writing, of any such request for access relating to an Audit at least eight (8) weeks
in advance. Customer may not request access relating to an Audit more than once per calendar year unless
otherwise required by applicable Privacy Law.
-
EU/EEA/UK Transfers from Customer to PWFL
-
In respect of any EU/EEA Restricted Transfer, Customer (as “data exporter”) and PWFL (as “data importer”) with effect from the commencement of the relevant transfer hereby enter into the EU Controller to Processor SCCs as amended or replaced from time to time following an amendment or replacement by a competent authority under the relevant Privacy Law and further subject to the below options:
Clause 7 (Docking clause) of the EU Controller to Processor SCCs shall apply.
Clause 9 (Use of sub-processors) of the EU Controller to Processor SCCs: “Option 2” shall apply and the “time period” shall be 30 days.
Clause 11(a) (Redress) of the EU Controller to Processor SCCs: the optional language shall not apply.
Clause 13(a) (Supervision) of the EU Controller to Processor SCCs: the following shall be inserted: “Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.”
Clause 17 (Governing law) of the EU Controller to Processor SCCs: These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of Germany.
Clause 18 (Choice of forum and jurisdiction) of the EU Controller to Processor SCCs: the Member State shall be the Member State in which the exporting Customer entity is established.
Annex I of the EU Controller to Processor SCCs shall be deemed to be pre-populated with the relevant sections of Appendix 2 to this DPA, and the processing operations are deemed to be those described in Appendix 1.
Annex II of the EU Controller to Processor SCCs shall be deemed to be pre-populated with the relevant sections of Appendix 3 to this DPA.
Annex III of the EU Controller to Processor SCCs shall be deemed to be pre-populated with the relevant sections of Appendix 4 to this DPA.
-
In respect of any UK Restricted Transfer, Customer (as “data exporter”) and Supplier (as “data importer”) with effect from the commencement of the relevant transfer hereby enter into the EU Controller to Processor SCCs (as set out above), and the EU Controller to Processor SCCs shall be read in accordance with, and deemed amended by, the provisions of Part 2 (Mandatory Clauses) of the UK IDTA, and the Parties confirm that the information required for the purposes of Part 1 (Tables) of the UK IDTA is set out in Appendix 1.
-
Final Provisions
-
Conflicts. In the case of any conflict or inconsistency between any of the terms or conditions of the remainder of the Agreement (except for the Third Party Terms, which with respect to Third Party Services shall prevail over this USA DPA to the extent there is a conflict) and this USA DPA, the terms or conditions of this USA DPA shall control.
-
Changes in Privacy Law. The Parties shall negotiate in good faith any amendments to this DPA that are necessary to reflect changes in Privacy Law.
-
Governing Law and Venue. This DPA is subject to the laws of the jurisdiction as stated in the Master Agreement. The Parties exclusively submit to the courts of the chosen jurisdiction as set out in the Master Agreement.
-
Amendments. Any amendments or supplements to, or termination of, this DPA must be in writing to be legally effective; this requirement applies accordingly to any waiver of this written form requirement. For the avoidance of doubt, any references to any written form requirement in this DPA (e.g., “written” or “in writing”) include declarations and documents in electronic and text form whether bearing a signature or not (e.g., emails, fax copies or scans).
-
Severability. If a provision of this DPA is or becomes ineffective, in whole or in part, or if there is an omission, the remaining provisions of this DPA shall remain unaffected. In place of the ineffective provision, and to fill the omission, the Parties shall agree on a reasonable provision which comes - to the extent legally possible - closest to what the Parties agreed or would have agreed if they had considered this point.
APPENDIX 1 – DESCRIPTION OF PROCESSING
-
Processing, Personal Data, and Data Subjects
-
Nature and Scope: PWFL will collect, store, analyze, anonymize, and otherwise process data concerning the use of vehicles operated by the Customer, in which PWFL has, at the Customer’s request, installed equipment to collect such data from vehicles being driven by the Customer’s employees and drivers.
-
Purpose of processing
To collect data concerning the location of the vehicles concerned (i.e., when a vehicle is in use, the location of the driver), driving style and hours of work of the Customer’s drivers by remotely monitoring the characteristics and use of the vehicles concerned. Data relating to the Customer’s drivers’ usage of PWFL’s applications (services) and the operation of the vehicles by the drivers is collected. This data will be stored, analyzed, and otherwise processed and reported on to the Customer’s users of PWFL’s applications (services). PWFL’s personnel will also analyze this data and provide certain recommendations to the Customer and to its staff. The purpose of this is to improve road safety, reduce vehicle operating costs, improve legal compliance and reduce carbon emissions. Data will also be collected via PWFL’s applications (services) for the purposes of controlling and monitoring security relating to the vehicles and their cargoes. In addition, in order to benefit from future industry benchmark data and to further these same purposes, PWFL shall anonymize the Customer Data so that it does not relate to an identified or identifiable individual or is rendered anonymous in such a way that individuals are not (or are no longer) identifiable.
-
Duration of the processing
The processing will be carried out throughout the term of the agreement under which PWFL is providing the relevant services.
-
Types of personal data
Identification: Name, Surname; Identification number / License number; Picture; Identifiers (Driver ID, Related Site ID, Asset ID, and Tachograph Driver card number) / Video
Contact Information: Contact number; Email address
Authentication: Username and Password (controlled by the Customer / Data Subject – PWFL has no visibility or access to the Passwords)
Location: GPS co-ordinates; Country
Professional: Employer; Employee ID; Company ID
-
Categories of data subject
Employees of and workers or other persons contracted by or on behalf of the Customer (whether users, contacts, drivers or passengers in vehicles), which are the subject of an agreement between the Customer and PWFL for the provision of such services as described above.
-
Data Retention Period(s)
PWFL will maintain Asset and related data on the SaaS platform for the periods provided for in the PWFL Data Retention policy, which policy may be updated by PWFL from time to time.
APPENDIX 2: DESCRIPTION OF THE RESTRICTED TRANSFER
-
LIST OF PARTIES
Data exporter(s):
Name: Customer, as detailed in the relevant Order Form (notwithstanding that Customer may be an entity or entities located outside of the European Union or the UK)
Address: As detailed in the relevant Order
Contact person’s name, position and contact details: DPO, Privacy/ Legal Team
Activities relevant to the data transferred under these Clauses: As described in Appendix 1
Role: Controller
Data importer(s):
Name: The Powerfleet entity detailed on the Order
Address: The Powerfleet Address detailed on the Order
Contact person’s name, position and contact details: privacy@powerfleet.com
Activities relevant to the data transferred under these Clauses: As described in Appendix 1
Role: Processor
-
DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: as set out in Appendix 1
Categories of personal data transferred: As set out in Appendix 1
Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: As set out in Appendix 3.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): the frequency of the transfer shall be determined by the Parties’ obligations under the Master Terms and Conditions for Services and Equipment.
Nature of the processing: As set out in Appendix 1.
Purpose(s) of the data transfer and further processing: As set out in Appendix 1.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: As set out in Appendix 1
For transfers to (sub-) processors, also specify the subject matter, nature, and duration of the processing.
-
COMPETENT SUPERVISORY AUTHORITY
The competent authority is the data protection authority in the EU member state in which the exporting entity is established.
APPENDIX 3 – TECHNICAL AND ORGANIZATIONAL MEASURES
-
Technical and Organisational Security Measures
-
The technical and organisational security measures include, as a minimum standard of protection:
-
Information security management systems;
-
Physical security;
-
Access control;
-
Security and privacy enhancing technologies;
-
Awareness, training and security checks in relation to all Processor’s employees;
-
Incident and response management;
-
Business continuity;
-
Audit controls; and
-
Due diligence.
-
The details of the transfer of information, and in particular, the (special) categories of Personal Information are specified in Schedule 1, which forms an integral part of the Data Protection Agreement.
-
Description of the Technical and Organisational Security Measures to be Implemented
The Processor will implement and maintain the security measures as set out herein. Processor may update or modify such security measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services. The processor must give PWFL prompt written notice of any such enhancement together with such additional information as PWFL may require following receipt of such notice.
-
Policies and Procedures
Processor must maintain policies and procedures designed to secure Personal Information Processed against accidental or unlawful access or disclosure, and take steps to identify and minimise reasonably foreseeable internal security risks, including the following:
-
Access Control
-
Access to the Processor’s security operations centre (hereafter “SOC”) and Processing operations (hereafter the “System”) is granted to employees and contractors who have a legitimate business need for such access privileges.
-
Access to the System will require a unique identification (“ID”) to establish accountability with user logins (i.e. unique and specific assigned user IDs and user passwords).
-
Administrator and database access are restricted to authorised System and security administrators.
-
New user access to production support is granted in accordance with a predefined role matrix. Changes to user access require management approval.
-
Physical access controls for Processor’s SOC facilities include access tags, perimeter fencing and in-house staffing.
-
Operations and System Integrity
-
Policy and procedures for processes, such as reporting operational failures, incidents, System problems, concerns, and user complaints (and the process for doing so), are made available to users and are approved by management.
-
System capacity is reviewed periodically, and action items are defined for capacity issues.
-
Data, transactions, and programs are backed up at a server level regularly and encrypted. (Storage level encryption for all databases where back-ups are stored and drives where data resides).
-
The Processor monitors a variety of inputs for security incidents, and the data importer’s SOC employees will respond promptly to known incidents.
-
IDS / IPS (intrusion detection and prevention). The Processor will perform and/or contract with third parties to perform vulnerability scans whenever major System releases are introduced, with detailed System penetration testing scheduled at least annually.
-
Passwords are stored as a hash in the back-end environment. In addition, although passwords are sent in clear text at the application layer, the point-to-point application network connection (customer to back-end) is encrypted using SSL technologies. (Data transmissions are encrypted via Transport Layer Security (“TLS”) / SSL or HTTPS.)
-
Antivirus software is installed on workstations and laptops for users with access to the processing operations and the SOC.
-
Processor’s helpdesk and System operations will make use of Perimeter Firewalls including VPN access for support processes.
-
Data Importer’s sub-processors will be subject to review as part of the vendor risk management process, including reviewing of independent third-party reports.
-
Business continuity and disaster recovery plans, including restoration of backups, are tested at least annually with the System configured to provide failover capabilities to permit the resumption of critical operations.
-
Organisation of Information and Employee Security
-
The Processor has formal organisational structures and defined roles. The security management plan and charter include an information security capability with defined responsibilities.
-
The Processor has defined job descriptions for employees responsible for designing, developing, implementing, operating, monitoring, and maintaining the System.
-
Background or verification checks are performed on employees when appropriate and permitted by law.
-
Employees are required to read and accept a statement of confidentiality and undertake appropriate data security awareness training during onboarding.
-
Employee training is regularly undertaken and performed to maintain employee competency and effectiveness.
-
Policies and Procedures